In its 2019 Internet Crime Report, the FBI said it received 467,361 internet and cyber-crime complaints in 2019, and that almost half of the reported losses, an estimated $1.77 billion, came from reports of BEC (Business Email Compromise), also known as EAC (Email Account Compromise), crimes.
FBI Internet Crime Report 2019: https://pdf.ic3.gov/
These figures reinforce the fact that cyber-crime is a lucrative business worth billions, a statistic that will only encourage an increase in illegal activity in the long term. Despite these troubling headlines, many businesses are still not getting the message about the risk posed by hackers, who are seeking to exploit security vulnerabilities in all areas of organisations.
Increasingly, mobile devices used by workers on the move are a target for cyber-criminals, and the sheer number of mobile threats is growing much faster than it did for PCs. The reason portable devices are major targets is that they are full of personal and financial information. For example, most devices have banking features backed up inside that are rich pickings for hackers.
Cyber criminals are always hunting for security weaknesses in businesses, so it is crucial that those vulnerabilities are spotted and remediated by automated cyber security technology. All organisations must put resilience at the heart of every security strategy, to boost the cyber immune system through self-healing endpoint security systems and keep criminals locked out.
According to the FBI, both the number of ransomware incidents and the total ransomware-related losses continued to increase in 2019. It's interesting to see this trend gaining momentum regardless of the ever-increasing investment in cybersecurity solutions that should have stopped ransomware from infecting user devices and causing damage. Typical anti-ransomware solutions use endpoint security agents that are embedded in the operating system and try to protect it from malicious software. However, this approach is bound to fail as the underlying operating systems are bloated monolithic operating systems written decades ago and have hundreds of millions of potentially vulnerable lines of code. The current cat-and-mouse approach to fighting ransomware will not solve the problem – enterprises and individuals seeking to protect themselves against ransomware should consider fully segregating/isolating their sensitive resources, both local files and access to sensitive cloud resources.
Business Email Compromise (BEC) has been around for a number of years, but continues to evolve, bringing with it significant losses and frustration. It is typical for BEC scams to mimic executives or managers within organizations in order to use their authority to convince employees to perform unusual or dangerous actions that result in redirected funds. This same basic scheme of pretending to be someone they are not is used to get people to purchase gift cards, pay fake invoices, redirect paychecks and even redirect down payments and escrow funds in real estate transactions. There is no limit to the types of attempted scams using the moniker of executive leadership.
These phishing attacks often rely on emotional triggers to do their dirty work. This includes the fear of disappointing the boss and losing their job, the promise of something for nothing, or even just the feeling of being helpful. These attacks will always include a sense of urgency in an effort to keep people from asking questions or applying critical thinking to the situation. In all my years of watching these attacks, I have yet to see one asking people to take their time completing whatever task has been provided.
The most effective method to defend against these attacks is to train users about the methods being used, and to teach them the signs to look for in emails to see if they are genuine. Checking the "reply-to" address and hovering over any links in the emails looking for misdirection is crucial to spotting these scams. In addition, a simple policy can require that any email requesting a monetary transfer over a certain amount be confirmed with a phone call to a known-good phone number. Simply picking up the phone to confirm the request, whether it be for a wire transfer or a request to purchase gift cards, can stop these attacks in their tracks.
When dealing with real estate transactions, it is becoming more common to see a section in the contract that specifies the only account number that will be used for transferring down payments or escrow deposits. This is a step that protects the organization and the purchaser against scammers trying to redirect these funds.
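The "reply-to", lookalike-domain, link-hover and urgency checks described in the two paragraphs above, as an added example; this is not code from the original page or from any of the quoted commentators. The organisation domain, the executive name list, the urgency terms and the sample message are all constructed assumptions for illustration, and the lookalike test is a deliberately simple heuristic (digit-for-letter swaps, "rn" for "m", one character added or dropped), not a full confusable-domain check.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation domain(s) and executive names (hypothetical).
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe"}

# Digits commonly swapped for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Pressure language typical of BEC lures (assumed list).
URGENCY_TERMS = ("urgent", "immediately", "right away", "asap", "wire transfer", "gift card")

# Matches <a ... href="...">visible text</a> in an HTML body.
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None.

    Normalises digit/letter swaps and 'rn' -> 'm', then accepts an exact
    match or a single inserted/removed character. Heuristic only.
    """
    norm = domain.translate(CONFUSABLES).replace("rn", "m")
    for t in trusted:
        if domain == t:
            return None  # genuinely the trusted domain
        if norm == t:
            return t
        longer, shorter = (norm, t) if len(norm) > len(t) else (t, norm)
        if len(longer) - len(shorter) == 1:
            for i in range(len(longer)):
                if longer[:i] + longer[i + 1:] == shorter:
                    return t
    return None


def mismatched_links(html):
    """(visible text, real host) pairs where the link text shows one host
    but the href points somewhere else: the automated form of 'hover over
    the link and look at where it really goes'."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_url = shown if "://" in shown else "http://" + shown
        shown_host = (urlparse(shown_url).hostname or "").lower()
        # Only compare when the visible text itself looks like a host name.
        if shown_host and "." in shown_host and shown_host != real_host:
            out.append((shown, real_host))
    return out


def triage(raw):
    """Run the BEC header/body checks on a raw RFC 5322 message and return
    a list of human-readable findings (empty list means nothing flagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)

    # 1. Reply-To goes to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Sender domain imitates the organisation's own domain.
    target = is_lookalike(from_dom, TRUSTED_DOMAINS)
    if target:
        findings.append(f"From domain {from_dom} looks like {target}")

    # 3. Executive display name on an address outside the organisation.
    if from_name.lower() in EXECUTIVES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"Display name '{from_name}' matches a known executive but the address is outside the organisation")

    # 4. Links whose visible text misdirects from their real destination.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for shown, real in mismatched_links(body):
        findings.append(f"Link text '{shown}' points at {real}")

    # 5. Urgency / pressure language in subject or body.
    low = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in low]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))
    return findings


# Constructed sample lure (not a real message): lookalike sender domain,
# free-mail Reply-To, executive display name, misdirected link, urgency.
SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jdoe.ceo@webmail-example.net
To: accounts@example-corp.com
Subject: Urgent payment
Content-Type: text/html

<p>I need this wire transfer done immediately, I am in a meeting.</p>
<p>Details: <a href="https://example-corp.com.evil-host.net/pay">https://portal.example-corp.com/pay</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Each finding on its own is only a signal; the point of the policy in the paragraph above is that a flagged payment request is verified out of band, by phone to a number already on file, rather than by replying to the message.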
I initially thought this might be Iran or nation state related as the oil and gas, critical infrastructure caught my eye. Open source intelligence seems to greatly concur that this is indeed a criminal group, Orangeworm, and not a nation state. They are quite sophisticated in their selective targeting, pivoting, long term data collection investment, and tool development. For criminal groups they are up there in terms of maturity. Normally the targeting of industrial control system companies or the systems themselves is reserved for well-funded nation state groups. However, we've seen this type of targeted attack on oil and gas industries before by the "Seldon" phishing criminal group out of Russia – although Orangeworm appears to be much more sophisticated.
Targeting critical infrastructure requires domain knowledge outside of just writing and deploying Windows malware. This includes knowing the operational technology processes and process controls, nonstandard or proprietary "OS" based PLCs, movement across air gaps, and communication protocols, often proprietary, that differ from those used on the regular internet.
This is not to say a criminal group cannot acquire this knowledge, but there doesn't really seem to be a precedent for it yet. Additionally, you don't necessarily need to write the next "Stuxnet" to do considerable reputational or economic harm to critical infrastructure companies. Or to make money off them – which I'm guessing is the goal here.
If the group is targeting the manufacturers or suppliers of industrial control system devices, it is actually quite an interesting and fantastic way to get a potential, frightening foothold in any organization that uses that technology. Somehow infecting some device or software in the supply chain of a PLC, and having that deployed to an energy company that uses that PLC, would require, again, some advanced knowledge of how these devices work and are used, and that information is not impossible to acquire.
These findings from the FBI are shocking but unfortunately just confirm what we have already seen in the security market – that email attacks remain the most popular type of attack for criminals. This may be surprising for some readers who might think email has been around long enough to be protected, or might have suspected more complex malware-based attacks such as ransomware to be more prevalent. However, remember that complex attacks are also expensive and complicated for criminals to execute. Email attacks, on the other hand, are relatively simple, cheap and easy for criminals to execute. While organisations still remain vulnerable to such attacks, why would criminals spend time and effort trying something else?
Many organisations remain vulnerable to email attacks because criminals have updated their methods to stay ahead of traditional email security. Most businesses are protected against the volume spam email campaigns that were once in vogue. In response, criminals have turned to Business Email Compromise (BEC) attacks – highly targeted phishing campaigns aimed at "high value" individuals in the business, such as the CEO or the finance department. By using an email address similar to a trusted company address, criminals can trick an employee into giving away valuable information at almost no cost. These attacks are harder for traditional pattern-matching techniques to catch, so organisations have to update their email security technology in kind. Multi-layered content analysis, which thoroughly checks each individual feature of an email before it gets to the sender, has proved effective at stopping these very convincing spoof emails, which led to almost two billion dollars lost in the US in the last year alone.